just another infosec blog

The CIA triad

The CIA triad is well known in the security industry and is made up of three principles: Confidentiality, Integrity and Availability. I will cover each of them briefly in this post. The reason for bringing this up is simple: if you are going to work with information security you must have a clear grip on what the CIA triad means.

What is it?

Techopedia defines the CIA triad like this:

“The CIA (Confidentiality, Integrity, and Availability) triad of information security is an information security benchmark model used to evaluate the information security of an organization. The CIA triad of information security implements security using three key areas related to information systems including confidentiality, integrity and availability.” – techopedia.com

This definition is aimed at organizations, but the model is not limited to them. You can apply it to any situation that may arise, even to your own personal data.

The model is usually drawn as a triangle, with Confidentiality, Integrity and Availability on its three sides.

As we can see, and as already mentioned, the triad contains three principles: Confidentiality, Integrity and Availability. These are the core principles that form the foundation of security thinking. Notice the shape itself. There is a reason it is drawn as a triangle: it shows how the principles connect to each other. A change in one principle may affect, or conflict with, the adjoining principles.

Some people think this model is not complete, and every now and then a discussion on extending it pops up. People argue back and forth about whether other principles, such as accountability and access control, should be added to it. For now I am not going to discuss that and will just stick to the triad as it is.

The principles

I think the model explains itself quite nicely, but I'll throw in some words to elaborate on it. Here goes!

Confidentiality

Private information should stay private. By private we don't mean locking the information in a safe for all eternity and throwing away the key. We mean restricting access to the information to trusted parties only, whether those are humans or computer systems.

To protect confidentiality we can apply file encryption, encrypted communication links, correct file permissions and more. Any change made to protect confidentiality may affect the other principles in the triad: encrypt a file and lose the key, or lock down permissions too tightly, and the information is no longer available to the people who legitimately need it.
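As an added example of the "correct file permissions" point (my code, not from the original post), the snippet below writes a secret with owner-only permissions from the moment the file is created and then checks whether any group or other bits are set, which is the same check OpenSSH makes before it will load a private key. The file names and token value are made up for the illustration.

```python
"""Confidentiality via file permissions: create a secret owner-only and verify
that no group/other permission bits are set. Added example; the file names and
token contents are constructed for illustration."""
import os
import stat
import tempfile

# Permission bits that would let anyone other than the owner read or write.
_OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO


def write_secret(path: str, data: bytes) -> None:
    """Create the file with mode 0600 at creation time, so there is no window in
    which it exists with the (umask-dependent) default permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def exposed_bits(path: str) -> int:
    """Return the group/other permission bits set on path (0 means owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & _OTHERS_MASK


def is_private(path: str) -> bool:
    """True if only the owner can read or write the file."""
    return exposed_bits(path) == 0


def demo() -> dict:
    """Constructed scenario: a secret written correctly next to a careless
    backup copy that was left readable by every user on the host."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "api_token")          # hypothetical secret file
    bad = os.path.join(tmp, "api_token.bak")       # hypothetical stray copy
    write_secret(good, b"hypothetical-token-value\n")
    write_secret(bad, b"hypothetical-token-value\n")
    os.chmod(bad, 0o644)  # world-readable: confidentiality is lost
    return {
        "good_is_private": is_private(good),
        "bad_is_private": is_private(bad),
        "bad_exposed_bits": oct(exposed_bits(bad)),
    }


if __name__ == "__main__":
    print(demo())
```

The important detail is passing the mode to `os.open` rather than calling `chmod` afterwards: the umask can only remove bits from 0600, never add any, so the file is never world-readable, not even briefly.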

Integrity

Information must have its integrity intact for us to trust it. By intact we mean that the information we view is the same as what the sender sent. Basically, we must make sure that the information has not been tampered with.

To make sure that information has not been tampered with we can make use of checksums, certificates, logging and digital signatures. Note the difference between them: a plain checksum only catches accidental corruption, since anyone who can change the data can recompute the checksum as well; catching deliberate tampering takes something the attacker cannot produce, such as a keyed MAC or a digital signature. It is easy to throw in any system imaginable to support this, but it comes with a price. We must also consider educating the end users in how to use the tools we add. Say a user gets hold of both the information and the checksum but does not know what to do with them. Then you have a problem.
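To make the checksum-versus-signature distinction concrete, here is an added example (my code, not from the original post) using only the Python standard library. It protects a constructed message with an unkeyed SHA-256 checksum and with an HMAC, then shows that both catch a flipped bit, but only the keyed tag catches an attacker who rewrites the message and recomputes the check value. The key, message and "attacker" are all made up for the demonstration.

```python
"""Integrity: unkeyed checksum vs. keyed MAC. Added example; the key, message
and attacker behaviour are constructed for illustration."""
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: catches bit flips and truncated downloads."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def mac(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only holders of key can produce a valid value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(mac(key, data), expected)


def demo() -> dict:
    key = secrets.token_bytes(32)          # known to sender and verifier only
    original = b"amount=100;to=alice"      # constructed message
    tag_sum = checksum(original)
    tag_mac = mac(key, original)

    # Accidental corruption: one flipped bit in transit.
    corrupted = bytearray(original)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Deliberate tampering: the attacker rewrites the message AND recomputes
    # the unkeyed checksum, but has to guess the MAC key.
    tampered = b"amount=100;to=mallory"
    forged_sum = checksum(tampered)
    forged_mac = mac(b"attacker-guess", tampered)

    return {
        "checksum_catches_corruption": not verify_checksum(corrupted, tag_sum),
        "mac_catches_corruption": not verify_mac(key, corrupted, tag_mac),
        "checksum_catches_tampering": not verify_checksum(tampered, forged_sum),
        "mac_catches_tampering": not verify_mac(key, tampered, forged_mac),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check}: {caught}")
```

A digital signature gives the same tamper protection as the MAC here, with the added property that verification needs only the public key, so the verifier does not have to share a secret with the sender.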

Availability

Information must be available when requested by trusted parties. The system serving the information must not be disrupted by external or internal problems. In a server environment this means the server must be able to withstand DDoS attacks, power spikes, power outages and more. A failover system that takes over when the server crashes must also be in place. There are a lot of things a system must handle.
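As an added example of the failover idea (my code, not from the original post), the client below asks a list of replicas in order and moves on to the next one when a replica refuses the connection or times out, within a bounded attempt budget so that a dead cluster fails fast instead of retrying forever. The replica names and their failures are simulated in-process so the example runs offline.

```python
"""Availability: serve a request from the first healthy replica, with a bounded
retry budget and a short back-off. Added example; the replica names and their
outages are simulated in-process."""
import time
from typing import Callable, Sequence, Set, Tuple


class ServiceUnavailable(Exception):
    """Raised when no replica answered within the attempt budget."""


def fetch_with_failover(
    replicas: Sequence[str],
    fetch: Callable[[str], bytes],
    max_attempts: int = 4,
) -> Tuple[str, bytes]:
    """Try replicas in order; on a connection failure move to the next one,
    wrapping around until max_attempts is used up.
    Returns (replica_that_answered, response)."""
    errors = []
    for attempt in range(max_attempts):
        replica = replicas[attempt % len(replicas)]
        try:
            return replica, fetch(replica)
        except (ConnectionError, TimeoutError) as exc:
            errors.append(f"{replica}: {exc}")
            time.sleep(0.01)  # back off so a flapping replica is not hammered
    raise ServiceUnavailable("; ".join(errors))


def make_simulated_cluster(down: Set[str]) -> Callable[[str], bytes]:
    """Constructed backend: replicas listed in `down` refuse connections,
    the rest answer with a canned record."""
    def fetch(replica: str) -> bytes:
        if replica in down:
            raise ConnectionError("connection refused")
        return b"record-42 served by " + replica.encode()
    return fetch


# Hypothetical replica set; the primary is tried first.
REPLICAS = ["db-primary.example", "db-replica-1.example", "db-replica-2.example"]


def served_by(down: Set[str]) -> str:
    """Name of the replica that ended up serving the request."""
    replica, _ = fetch_with_failover(REPLICAS, make_simulated_cluster(down))
    return replica


if __name__ == "__main__":
    print(served_by(set()))                      # primary is healthy
    print(served_by({"db-primary.example"}))     # primary crashed, replica takes over
```

The attempt budget matters as much as the failover itself: an unbounded retry loop from thousands of clients is a self-inflicted denial of service against whatever replica is still up.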

Last words

There is much to say about the CIA triad; in this post I have just scratched the surface. If this post piqued your interest there are tons of resources on Google to check out! Happy hunting!